
Certificate Policy and Practices Workgroup

CP v.1.2, Approved by Consensus on 01/25/2013

CP v 1.2.1, Approved by the DirectTrust Board of Directors on 12/15/2014



Workgroup Chair(s)

Don Jorgenson, Inpriva

Stephen Weiss, Senior Consultant, DirectTrust

Schedule for calls

Alternating Fridays at 2:00 pm ET

Workgroup Objectives

The main objective of this workgroup has been to establish and maintain a Certificate Policy (CP) that will serve as a guide to Health Information Service Providers (HISPs) and their Certificate Authorities (CAs) as they implement Direct exchange programs and services. In keeping with the overall goal of DirectTrust.org to help assure stability and interoperability of Direct exchange between HISPs and their subscribers, the Workgroup will develop CPs that follow the structure of the Internet Engineering Task Force (IETF) Internet X.509 Public Key Infrastructure (PKI) Certificate Policy and Certification Practices Framework (RFC 3647).

For the sake of convenience and clarity, the Workgroup has divided the broad universe of Direct exchange suppliers and users into three communities: a Federal community, an Ecosystem community, and a Citizens community. The first objective of this Workgroup has been to address the anticipated needs for certificate policies and practices associated with the Ecosystem community, which comprises covered entities, their business associates, and other entities that have agreed to abide by HIPAA privacy and security rules and regulations. This would include most healthcare provider organizations, health plans, pharmacies, laboratories, and many other organizations that fall under the definition of HIPAA covered entities or their business associates.

The CPs established by this workgroup are intended to be fully consistent with the Federal Bridge Certificate Authority (FBCA) Certificate Policy. However, a DirectTrust.org CP is also intended to specify policies that further constrain the conditions under which a DirectTrust.org Ecosystem or Citizen conformant digital certificate may be issued. In any case where a DirectTrust.org CP is found to be inconsistent or incompatible with the FBCA CP, the incompatibilities will be addressed at the time of policy mapping.

The terms and provisions of any DirectTrust.org CP shall be interpreted under and governed by applicable Federal law.